
From 6 weeks to 6 minutes: protocols exploitation in a rapidly changing world 



Exploring and Exploiting Leaky Mobile Apps with BADASS 




GTE/GCHQ GA5A/CSEC 

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under 
other UK information legislation. Refer disclosure requests to GCHQ on or email 









Coming up... 





1) BADASS - From 6 weeks to 6 minutes: protocols 
exploitation in a rapidly changing world 

2) We Know How Bad You Are At “Angry Birds”: Exploring and Exploiting Leaky Mobile Apps with BADASS (OtH)
BADASS




■ Protocols Exploitation at GCHQ 

■ Mobile Applications - a challenge 

■ BADASS - BEGAL Automated Deployment And 
Survey System 

■ UNIQUELY CHALLENGED - Rapid deployment 

■ SEM - more complex extractions 
TDI event generated by the Google-Prefid-Cookie rule (each field is name, value length, value):

1303138597 6 62824 80
Google-Prefid-Cookie 16 8df8675ed8762cb2
TDI-Scope 7 Machine
Route 12 192.168.0.51
HHFP-Hash 8 4909f053
User-Agent 138 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Host 17 news.google.co.uk
Geo-IP-Dst 38 37.4192;-122.0574;MOUNTAINVIEW;US;6LLM
Event-security-label 6 10007F
Stream-security-label 10 400023E0FF
Source-Bearer 4 TEST
<surveyRule>
  <ruleName>Google-Prefid-Cookie</ruleName>
  <action>
    <actionType>EVENT</actionType>
    <eventFormat>PRESENCE</eventFormat>
    <eventLogicalDestination>presence</eventLogicalDestination>
    <presenceEventIdentifierType>Google-Prefid-Cookie</presenceEventIdentifierType>
    <presenceEventUseSourceIp>true</presenceEventUseSourceIp>
    <presenceEventTIType>TDI</presenceEventTIType>
    <presenceEventGenerationType>MACHINE</presenceEventGenerationType>
  </action>
  <criterionSet>
    <criterion>
      <fspfTasking>
        <selectorType>string</selectorType>
        <selector>; PREF=ID=</selector>
        <bitMask/>
        <caseSensitive>true</caseSensitive>
        <position>-1</position>
        <protocolLayer>APPLICATION_LAYER</protocolLayer>
        <numSubsequentPacketsToForward>0</numSubsequentPacketsToForward>
      </fspfTasking>
    </criterion>
  </criterionSet>
</surveyRule>




TDI (Config) 



BEGAL (App) 



PPF (Framework) 
The Good Old Days



UK TOP SECRET STRAP15 NOPERSON
TO BE STORED IN INACCESSIBLE FOLDER IN GTE SHARED DRIVE






Application: 



Bebo Mobile Service 

bebo 



OPD-GTE 





VOB 

Datastore (x 2!) 

BADASS. 
Matrix reports 
Spreadsheets 
Etc.. 








Mobile Applications - Some Stats 
Why?





Many different platforms (iOS, Android, WP7, 
Blackberry) 

App store business model - everyone is writing 
software 

Much greater diversity of software 
(Basket) Case Studies




GMM - 18 months from analysis to deployment 



TDIs - typical time from rule 
completion to deployment ~ 3 
months 




[Screenshot: Google Maps for mobile, "Your approximate location to within 300m", with Search and Menu buttons]
Intro to BADASS





BEGAL Automated Development / Deployment 
And Something Something 



Protocols Analyst 
Googlemobilemaps-000e-Body

BADASS rule page for this rule (screenshot):

Rule Properties / Rule text / Edit XML/YAML
Testing status: Produced an invalid result in the FKB pcap test, and testing has been suspended
Testing progress (GTE): RulesCheck, DKB-PCAP, FKB-PCAP, FKB-Soak
Deployment status: DEPLOYED
Deployment progress (TPS): Submission, HB, [illegible], Deploy; deployed in heartbeats:
Version definition:



<surveyRule>
  <ruleName>M_Googlemobilemaps-000e-Body</ruleName>
  <action>
    <actionType>EVENT</actionType>
    <eventFormat>PRESENCE</eventFormat>
    <eventLogicalDestination>presence</eventLogicalDestination>
    <presenceEventIdentifierType>M_Googlemobilemaps-000e-Body</presenceEventIdentifierType>
    <presenceEventUseSourceIp>true</presenceEventUseSourceIp>
    <presenceEventTIType>TDI</presenceEventTIType>
    <presenceEventGenerationType>MACHINE</presenceEventGenerationType>
  </action>
  <criterionSet>
    <criterion>
      <fspfTasking>
        <selectorType>string</selectorType>
        <selector>/glm/mmap</selector>
        <bitMask/>
        <caseSensitive>true</caseSensitive>
        <position>-1</position>
        <protocolLayer>APPLICATION_LAYER</protocolLayer>
        (remainder of the rule cut off on the slide)
Logs / Packet Dump (Hexdump, downloadable as pcap)

Packet #1
Timestamp: 2011-04-12 16:25:11
Network layer; protocol=TCP srcip= destip= fragoff=0 (addresses not legible in the scan)
Transport layer; srcport=50323 destport=80
Application layer (decoded from the hexdump; the hex columns are omitted here):

POST /glm/mmap HTTP/1.1
Content-Type: application/binary
Content-Length: 650
Host: mobilemaps.clients.google.com
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Linux; U; Android 2.1-update1; en-gb; HTC Desire Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 (bravo_ERE27); gzip
(blank line, then the binary body)

Rule-match annotations overlaid on the dump (flag columns illegible in the scan):
H: APPLICATION | ANY | FWD | /glm/mmap
C: APPLICATION | ANY | TAG | \nUser-Agent:
E: APPLICATION | ANY | TAG | \r\n\r\n










Things worth mentioning 



• Testing - increased confidence in rules produced by 
GTE 

• Training - can use web interface to educate, and to prevent 
common mistakes 

• Deduping effort - knowledge of what has already been done 

• Became corporate TDI repo through back door 

• Devolved management of protocols - no one person has to 
oversee all of them 
UNIQUELY CHALLENGED



UNIQUELY CHALLENGED tasking interface (screenshot):

Tabs: [illegible] Engine, Stats Engine, Tracker Engine Tasking, BISHOP
Tasking views: Active Taskings, All Current Taskings, Taskings Pending Approval, Expired Taskings, Removed Taskings, New Tasking
Rules to Task: Rule Library -> Selected Rules -> Destinations (Show: All Rules; Filter)
Rule Library entries visible: 10jqka-Uname-Body-login, 10jqka-User-Cookie, 126-Mail126_ssn-Cookie, 126-Mail_uid-Cookie, 126-Netease_ssn-Cookie, 126-Ntsmail_user-Cookie, 126-Username-Uri, 126-Username-Uri_1, 163-Mail163_ssn-Cookie, 163-Mail_uid-Cookie
Actions: Add Rule to Selection for destination; Remove Rule from Selection; Deploy to Corporate MVR?
UNIQUELY CHALLENGED




One person has complete oversight of a technology from analysis to deployment - important for rapidly changing protocols






SEM - the future 





Developed by ICTR at GCHQ 
Complex events - More than just TDIs 
Social interactions 
Geo 

Network Events 



SEM



Rule Filters

Browse the current rules using one or more filters

Rule Descriptor / Descriptor Value




Results

item_attribution  extraction  item_service  item_class        item_techcontext
Actor             Direct      Facebook      identity-present  login_x-Cookie
Actor             Direct      Facebook      identity-present  login_x-Set-Cookie
Actor             Direct      Facebook      identity-present  lxe-Cookie
Actor             Direct      Facebook      identity-present  lxe-Set-Cookie
Actor             Direct      Facebook      identity-present  mobile-email-Method-Body
Actor             Direct      Facebook      identity-present  mobile-m_user-Cookie
Actor             Direct      Facebook      identity-present  reg_fb_gate-Set-Cookie
Actor             Direct      Facebook      identity-present  reg_fb_ref-Set-Cookie
Actor             Direct      Facebook      identity-present  c_user-Cookie

(each row offers edit, create like, YAML edit and YAML create like actions)



_orignal_tdi_rule: Facebook-ID-HTTP-Cookie-cuser
_orignal_tdi_type: Facebook-CUser-Cookie
_rule_creator: [illegible in scan]
_rule_editor: kbbaldu
_rule_status: locked
data_stream: HTTP-Request
extract:
  - context: Cookie
    pattern: '(?:^|[;])c_user=([^;]+)'
    extraction: Direct
item_attribution: Actor
item_class: identity-present
item_scope: User
item_service: Facebook
item_techcontext: c_user-Cookie
item_type: uid-c_user
item_universe: service
rule: Actor|Direct|Facebook|identity-present|uid-c_user|c_user-Cookie
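As an added example (not code from BADASS or SEM), the Python below evaluates both rule styles shown in this deck against constructed cleartext HTTP requests: the surveyRule string selectors (; PREF=ID= and /glm/mmap) and the SEM extract entry with context Cookie and pattern (?:^|[;])c_user=([^;]+). This is how an app team can check whether its own traffic, captured from a handset it controls, would be matched by rules of this kind. It assumes that position -1 means "match at any offset" and that context: Cookie means "run the pattern over the Cookie header"; neither is stated on the slides.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example; not code from BADASS or SEM. Rule values are copied from the
# slides; the semantics of <position>-1</position> ("anywhere") and of
# `context: Cookie` ("run the pattern over the Cookie header") are assumptions.


@dataclass(frozen=True)
class StringSelector:
    """The <fspfTasking> criterion of a surveyRule: a literal string selector."""
    rule_name: str
    selector: str
    case_sensitive: bool = True
    position: int = -1          # assumed: -1 = match at any offset

    def matches(self, payload: str) -> bool:
        hay, needle = payload, self.selector
        if not self.case_sensitive:
            hay, needle = hay.lower(), needle.lower()
        if self.position < 0:
            return needle in hay
        return hay.startswith(needle, self.position)


@dataclass(frozen=True)
class ContextRegex:
    """One SEM `extract` entry: a regex applied to a named header (the context)."""
    rule: str
    context: str
    pattern: str

    def extract(self, request: str) -> list[str]:
        header = header_value(request, self.context)
        return re.findall(self.pattern, header) if header is not None else []


def header_value(request: str, name: str):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*?)\r?$", request, re.M | re.I)
    return m.group(1) if m else None


# Rules exactly as they appear on the slides.
SELECTORS = [
    StringSelector("Google-Prefid-Cookie", "; PREF=ID="),
    StringSelector("M_Googlemobilemaps-000e-Body", "/glm/mmap"),
]
EXTRACTORS = [
    ContextRegex("Actor|Direct|Facebook|identity-present|uid-c_user|c_user-Cookie",
                 "Cookie", r"(?:^|[;])c_user=([^;]+)"),
]


def audit(request: str) -> dict:
    """Which rules a cleartext request would trigger, and what they would extract."""
    return {
        "selector_hits": [s.rule_name for s in SELECTORS if s.matches(request)],
        "extracted": {e.rule: v for e in EXTRACTORS if (v := e.extract(request))},
    }


# Constructed requests; all identifiers are made up.
GOOGLE_NEWS = ("GET / HTTP/1.1\r\nHost: news.google.co.uk\r\n"
               "Cookie: NID=1; PREF=ID=0123456789abcdef:TM=1\r\n\r\n")
GOOGLE_MAPS = ("POST /glm/mmap HTTP/1.1\r\nHost: mobilemaps.clients.google.com\r\n"
               "Content-Type: application/binary\r\nContent-Length: 0\r\n\r\n")
# c_user first in the header: the pattern's ^ alternative matches.
FB_FIRST = ("GET /home.php HTTP/1.1\r\nHost: m.facebook.com\r\n"
            "Cookie: c_user=100000000001; xs=abc\r\n\r\n")
# c_user after another cookie: browsers send "; " (with a space), and the class
# [;] does not allow that space, so this position is missed by the pattern as written.
FB_SECOND = ("GET /home.php HTTP/1.1\r\nHost: m.facebook.com\r\n"
             "Cookie: datr=zzz; c_user=100000000001\r\n\r\n")
# Decoy: xc_user is not c_user, but the bare string selector has no host check
# and still fires on the "; PREF=ID=" substring on a non-Google host.
FB_DECOY = ("GET /home.php HTTP/1.1\r\nHost: m.facebook.com\r\n"
            "Cookie: xc_user=999; PREF=ID=1\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("news", GOOGLE_NEWS), ("maps", GOOGLE_MAPS),
                      ("fb-first", FB_FIRST), ("fb-second", FB_SECOND),
                      ("decoy", FB_DECOY)]:
        print(name, audit(req))
```

Running it shows that the string selector fires on any host carrying "; PREF=ID=", and that the [;] class misses a c_user cookie that follows another cookie with the usual "; " separator, which is the kind of position variant a detection rule should be tested against.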
Over to Marty...

Coming up...





• Quick Overview: Ads and Analytics in the Mobile Realm
• Ads (Mobclix, AdMob, Mydas)
• Analytics (Dataflurry)
• Updates to Android IDs
• Windows Phone 7 User and Device IDs
• Abusing BADASS for Fun and Profit
Ads and Analytics in the Mobile Realm



Q: Why bother looking at mobile ads and analytics? 



[Slide graphic: logos of mobile ad, analytics and marketing companies covering iPhone/iPad apps, Android apps, mobile marketing and app development]
A: Developers use them to make money!

Ads and analytics support the developer with: 

• App Development
• User Experience
• App Marketing



Ads are used as a means of generating revenue for a developer

• Advertisers need information about the device/user to 
properly target ads 

• Unlikely to see ads in an app that charges 

• Many developers are releasing dual versions of apps: 
ad-supported and paid 





Ads and Analytics in the Mobile Realm 
Analytics are used as a means of generating usage metrics for a developer

• “Anonymous usage statistics”
• Present in both paid and free apps
• Developer is presented with aggregate data for an app












WSJ: Mobclix, the ad exchange, matches more than 25 ad networks 
with some 15,000 apps seeking advertisers. The Palo Alto, Calif., 
company collects phone IDs, encodes them (to obscure the number), and assigns them to interest categories based on what apps
people download and how much time they spend using an app, 
among other factors. By tracking a phone's location, Mobclix also 
makes a "best guess" of where a person lives, says Mr. Gurbuxani, 
the Mobclix executive. Mobclix then matches that location with 
spending and demographic data from Nielsen Co. 



GET /?p=android
&i={GUID}
&s=320x50 (ad size)
&av=1.4.2
&u={IMEI}
&andid={Android ID}
&v=2.3.0
&ct=null
&dm={Phone Name}
&hwdm={Phone HW Model}
&sv={OS Version}
&ua={User-Agent}
&ll=51.903699%2C-2.078062
&l=en_GB HTTP/1.1
Cookie:
User-Agent: ...
Host: ads.mobclix.com
Connection: Keep-Alive



Ads: Mobclix

GET /?p={platform}
&i={GUID}
&s=320x50 (ad size)
&av=1.4.2
&u={IMEI}
&andid={Android ID}
&v=2.3.0
&ct=null
&dm={Phone Name}
&hwdm={Phone HW Model}
&sv={OS Version}
&ua={User-Agent}
&o=0
&ap=0
&ll=51.903699%2C-2.078062
&l=en_GB HTTP/1.1
Cookie:
User-Agent: ...
Host: ads.mobclix.com
Connection: Keep-Alive



• GET request indicates platform and the device identifier
• The order of the p argument in the GET can vary between platforms
• ll is lat,long; not always present
• Uses multiple URLs for activities:
  • Ads: ads.mobclix.com
  • Analytics: data.mobclix.com/post/sendData
  • Feedback: data.mobclix.com/post/feedback
  • Config: data.mobclix.com/post/config



Cross-Platform Ads: Mobclix

Same request as on the previous slide; the per-platform meaning of its arguments:

Argument     iPhone   Android                               WP7*
{platform}   iphone   android                               ?
{u}          UDID     AndID, or IMEI when {andid} is set    ?
{andid}      N/A      AndID                                 N/A

*: WP7 Mobclix SDK still in beta



Cross-Platform Ads: AdMob

GET /p/i/e2/9b/e29b1e7503a5b24b3e693ece2c887173.png HTTP/1.1
Host: mm.admob.com
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; HW iPhone1,2; en_us) AppleWebKit/525.18.1 (KHTML, like Gecko) (AdMob-iSDK-20090617)
X-Admob-Isu: 7355c9d9f7d1033e0fe3ee13513366ad69170013
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: uuid=81a66cc2cf3f554e02f089c04d8d4fcb; admobuu=48617727332748471264744376038126
Connection: keep-alive




The isu can appear both as an argument in a POST or in the X-ADMOB-ISU HTTP header extension. The value itself is 32-40 bytes long.

Hosts using this value consistently: r.admob.com, mm.admob.com, mmv.admob.com, and a.admob.com



Cross-Platform Ads: AdMob







The platform can be identified by the User-Agent string:

• iPhone: AdMob-iSDK-20yymmdd
• Android: AdMob-ANDROID-20yymmdd
• WP7: possibly AdMob-WINDOWSPHONE7-20yymmdd; observed 20yymmdd-WINDOWSPHONE7-AldaritSuperAds



Cross-Platform Ads: AdMob



POST /adsource.php HTTP/1.1
Accept: */*
Content-Length: 277
Accept-Encoding: identi
Content-Type: applicati
User-Agent: {User-agent
Host: r.admob.com
Connection: Keep-Alive
Cache-Control: no-cache
(the three header values above are cut off by the overlaid table on the slide)

...rt=0
&u={User-Agent}
&isu={isu}
&ex=1
&client_sdk=1
&l=en
&f=jsonp
&z=1304518478
&s=a14d248b5738462
&v=20101123-WINDOWSPHONE7-AldaritSuperAds






Argument   iPhone                                                Android                                    WP7
{isu}*     iPhone UDID, or MD5 hash of the int val of the UDID   MD5 hash of the int val of the Android ID  SHA1 hash of the int val of the Device ID

*: isu can appear both as an argument in a POST or in the X-ADMOB-ISU HTTP header extension
Cross-Platform Ads: Mydas




GET /getAd.php5?
sdkapid=35447
&auid={Phone IMEI}
&ua={User-Agent}
&mmisdk=3.6.3-10.10.26.
&kw={keywords for app}
&mode=live
&adtype=MMBannerAdTop HTTP/1.1
Host: androidsdk.ads.mp.mydas.mobi
Accept-Encoding: gzip
Accept-Language: en-GB, en-US

Argument    iPhone   Android                         WP7
{auid}      ?        IMEI                            Base64-encoded integer value of Device ID
HTTP Host   ?        androidsdk.ads.mp.mydas.mobi    ads.mp.mydas.mobi
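The Mobclix, AdMob and Mydas request shapes on the preceding slides can be turned into a leak check that an app team runs over its own captured traffic. The Python below is an added example (not SDK or BADASS code): the host/field table comes from the slides, while the generic value heuristics (16-hex Android ID shape, 32/40-hex hashes or UDID, decimal lat,lon pairs) are the editor's generalisation, and all sample requests and identifiers are constructed.

```python
"""Identifier-leak scanner for the ad-SDK request shapes documented on the
Mobclix, AdMob and Mydas slides. Added example, not SDK or BADASS code."""
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# (host suffix, location, field, what the slides say it carries)
KNOWN = [
    ("mobclix.com", "query",  "u",           "UDID (iPhone) / Android ID or IMEI (Android)"),
    ("mobclix.com", "query",  "andid",       "Android ID"),
    ("mobclix.com", "query",  "i",           "GUID"),
    ("mobclix.com", "query",  "ll",          "latitude,longitude"),
    ("admob.com",   "query",  "isu",         "MD5/SHA1 of UDID, Android ID or Device ID"),
    ("admob.com",   "header", "x-admob-isu", "same value as the isu argument"),
    ("admob.com",   "cookie", "uuid",        "AdMob user id"),
    ("admob.com",   "cookie", "admobuu",     "AdMob user id"),
    ("mydas.mobi",  "query",  "auid",        "IMEI (Android) / base64 int Device ID (WP7)"),
]
# Editor's generalisation: shapes of the identifiers named on the slides,
# applied to every query value that is not already in the KNOWN table.
HEURISTICS = [
    (re.compile(r"^[0-9a-fA-F]{16}$"), "16 hex chars: Android ID shape"),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "32 hex chars: MD5-sized hash"),
    (re.compile(r"^[0-9a-fA-F]{40}$"), "40 hex chars: iPhone UDID / SHA1-sized hash"),
    (re.compile(r"^-?\d{1,3}\.\d+,-?\d{1,3}\.\d+$"), "decimal lat,lon pair"),
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, host, query, headers and cookies."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    # Form-encoded POST bodies carry arguments too (the AdMob adsource.php case).
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        for k, v in parse_qs(body, keep_blank_values=True).items():
            query.setdefault(k, []).extend(v)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return {"method": method, "host": headers.get("host", url.hostname or "").lower(),
            "query": query, "headers": headers, "cookies": cookies}


def scan(raw: str, scheme: str = "http") -> list[dict]:
    """Return one finding per identifier-bearing field in the request."""
    req = parse_request(raw)
    host, findings = req["host"], []
    stores = {"query": req["query"], "header": req["headers"], "cookie": req["cookies"]}
    for suffix, where, field, meaning in KNOWN:
        if host != suffix and not host.endswith("." + suffix):
            continue
        if field in stores[where]:
            value = stores[where][field][0] if where == "query" else stores[where][field]
            findings.append({"host": host, "where": where, "field": field, "meaning": meaning,
                             "value": value, "cleartext": scheme == "http"})
    known_fields = {f["field"] for f in findings if f["where"] == "query"}
    for field, values in req["query"].items():
        if field in known_fields:
            continue
        for rx, meaning in HEURISTICS:
            if rx.match(values[0]):
                findings.append({"host": host, "where": "query", "field": field, "meaning": meaning,
                                 "value": values[0], "cleartext": scheme == "http"})
    return findings


# Constructed samples; identifiers are made up (the IMEI is the standard Luhn-valid test value).
MOBCLIX = ("GET /?p=android&i=5e3f6a9c-0000-4000-8000-000000000001&s=320x50&av=1.4.2"
           "&u=490154203237518&andid=0123456789abcdef&v=2.3.0&ct=null&dm=Desire"
           "&sv=2.1&ll=51.903699%2C-2.078062&l=en_GB HTTP/1.1\r\n"
           "Host: ads.mobclix.com\r\nConnection: Keep-Alive\r\n\r\n")
ADMOB = ("POST /adsource.php HTTP/1.1\r\nHost: r.admob.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "X-Admob-Isu: 0000000000000000000000000000000000000001\r\n"
         "Cookie: uuid=00000000000000000000000000000001; admobuu=1\r\n\r\n"
         "rt=0&isu=0000000000000000000000000000000000000001&ex=1&client_sdk=1&l=en")
MYDAS = ("GET /getAd.php5?sdkapid=35447&auid=490154203237518&mode=live HTTP/1.1\r\n"
         "Host: androidsdk.ads.mp.mydas.mobi\r\n\r\n")

if __name__ == "__main__":
    for raw in (MOBCLIX, ADMOB, MYDAS):
        for f in scan(raw):
            print(f"{f['host']:30} {f['where']:6} {f['field']:12} {f['meaning']}")
```

Each finding records where the identifier travelled (query, header or cookie) and whether the request was cleartext, which is the property that made these values visible to passive collection in the first place.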








Analytics: Dataflurry 




Analytics firm Flurry estimates that 250,000 Motorola Droid phones were sold in the United States during the phone's first week in stores.












Analytics: Dataflurry 



Managing User Privacy Expectations 

Although some users may be concerned about their privacy, all data is gathered anonymously. On Pinch Media’s own website, the company states that when Pinch Analytics is installed within an application, the following information is sent back on each application run:

• A hardware identifier not connectable to any personal information 

• The model of the phone (HTC, Samsung, LG, Droid 2, and so on) and 
operating system (2.1, 2.2, and so on) 

• The application’s name and version 

• The result of a check to see if the device has been jailbroken 

• The result of a check to see if the application has been stolen and the 
developer hasn’t been paid 

• The length of time the application was run 

• The user’s location (if the user explicitly agrees to share it) 



• The gender and age of the user (if the application uses Facebook Connect)

None of this information can identify the individual. No names, phone numbers, email addresses, or anything else considered personally identifiable information is ever collected. The information sent from applications, when it arrives at the servers, is quickly converted to aggregated reports — unprocessed data is processed as quickly as possible. The aggregated reports show counts and averages, not anything user specific. For instance, a developer can see the following information:

• The number of distinct users who’ve accessed the application
• The average length of time the application was used
• The percentage of phones using each operating system
• The percentage of each model of phone (3G, 3GS, and so on)
• A breakdown of user locations by country, state, and major metropolitan area (for example, 20,000 in USA, 700 in New York state, 500 in New York City)
• The percentage of users of each gender
• The percentage of users by “age bucket” (21-29, 30-39, and so on)









Analytics: Dataflurry Example 



POST http://data.flurry.com/aar.donull HTTP/1.1
Host: data.flurry.com
Proxy-Connection: keep-alive
Content-Type: application/octet-stream
Content-Length: 1395
Connection: close

(binary body rendered as printable text; unprintable bytes shown as '.')

0?.n..IPF9LEEU8YW9ICKDSIUQ..2.0.74..BBPIN574646979 0? 0? device.model..Blackberry8900..
device.manufacturer..Research In Motion..device.os.version..5.2.0.31..
runtime.total.memory..169452204..storage.available..524280..
audio.encodings.,encoding=audio/amr encoding=pcm encoding=gsm..
microedition.commports..USB1..microedition.configuration..CLDC-1.1..
microedition.encoding..ISO88591..microedition.global.version..1.0..
microedition.locale..en-GB..microedition.platform..BlackBerry8900/5.0.0.411..
microedition.profiles..MIDP-2.1..wireless.messaging.sms.smsc..+441234567890..
wireless.messaging.mms.mmsc.&http://mms.mycarrier.co.uk/servlets/mms..
javax.bluetooth.LocalDevice..true.)javax.microedition.content.ContentHandler..true.)
javax.microedition.global.ResourceManager..true.&javax.microedition.io.SocketConnection..true.)
javax.microedition.io.file.FileConnection..true.$javax.microedition.location.Location..true.-
javax.microedition.media.control.VideoControl..true..javax.microedition.media.control.RecordControl..true.,
javax.microedition.payment.TransactionModule..false..javax.microedition.pim.PIM..true.$
javax.microedition.sip.SipConnection..false.*javax.microedition.sip.SipServerConnection..false..
javax.obex.Operation..true.*javax.wireless.messaging.MessageConnection..true.$
javax.wireless.messaging.TextMessage..true.)





Analytics: Dataflurry Example (Device Identifier) 






Device identifier token at the head of the payload, by platform:

• BlackBerry: BBPIN574646979 (decimal; 22406AC3 in hex, the form in which a BlackBerry PIN is usually quoted)
• Android: AND{AndroidID, 16 hex bytes}
• iPhone: IPHONE{iPhoneUDID, 40 hex bytes}
• Symbian: ID{SomeIDNumber, 8-10 digit int}
• IMSI: IMSI{IMSI}
• IMEI: IMEI{IMEI, 15 digit int}
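To show how the identifier token at the head of a Dataflurry payload resolves per platform, the Python below (an added example, not Flurry or BADASS code) classifies tokens by the prefixes listed above and validates their shape. The BBPIN decimal-to-hex conversion, the IMSI length bound and the IMEI Luhn check are the editor's additions; sample tokens are constructed except BBPIN574646979, which is the value on the slide.

```python
"""Classify the device-identifier token of a Flurry (Dataflurry) payload by the
prefixes listed on the slide. Added example, not Flurry or BADASS code."""
from __future__ import annotations
import re

# prefix -> (label, regex for the body, note). Shapes as given on the slide;
# the IMSI bound (14-15 digits) is the standard length, not stated on the slide.
TOKEN_SHAPES = {
    "IPHONE": ("iPhone UDID",    re.compile(r"^[0-9a-f]{40}$", re.I), "40 hex chars"),
    "AND":    ("Android ID",     re.compile(r"^[0-9a-f]{16}$", re.I), "16 hex chars"),
    "BBPIN":  ("BlackBerry PIN", re.compile(r"^\d{1,10}$"),           "decimal; PIN usually quoted in hex"),
    "IMSI":   ("IMSI",           re.compile(r"^\d{14,15}$"),          "14-15 digits"),
    "IMEI":   ("IMEI",           re.compile(r"^\d{15}$"),             "15 digits, Luhn check digit"),
    "ID":     ("Symbian ID",     re.compile(r"^\d{8,10}$"),           "8-10 digit integer"),
}
# Longest prefixes first so that IMEI/IMSI/IPHONE are tried before the bare ID prefix.
PREFIXES = sorted(TOKEN_SHAPES, key=len, reverse=True)


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); an IMEI carries its check digit in the 15th position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def classify(token: str) -> dict:
    """Return platform label, raw body and validity for one identifier token."""
    for prefix in PREFIXES:
        if token.startswith(prefix):
            label, shape, note = TOKEN_SHAPES[prefix]
            body = token[len(prefix):]
            valid = bool(shape.match(body))
            result = {"platform": label, "id": body, "valid": valid, "note": note}
            if prefix == "IMEI" and valid:
                result["valid"] = luhn_ok(body)       # editor's addition
            if prefix == "BBPIN" and valid:
                result["pin_hex"] = f"{int(body):08X}"  # editor's addition
            return result
    return {"platform": "unknown", "id": token, "valid": False, "note": "no known prefix"}


def find_tokens(payload: str) -> list[dict]:
    """Pull every prefixed identifier out of the dotted text rendering of a payload."""
    pattern = re.compile(r"\b(?:IPHONE|AND|BBPIN|IMSI|IMEI|ID)[0-9A-Za-z]+")
    return [classify(m.group(0)) for m in pattern.finditer(payload)]


# Constructed payload fragment in the slide's rendering. Identifiers are made up
# except BBPIN574646979 (the slide's value); the last IMEI has a bad check digit.
SAMPLE = ("0?.n..AAAAAAAAAAAAAAAAAAAA..2.0.74..BBPIN574646979 0? 0? device.model.."
          "Blackberry8900..IMEI490154203237518..AND0123456789abcdef..IMEI490154203237510")

if __name__ == "__main__":
    for t in find_tokens(SAMPLE):
        print(t)
```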



Analytics: Dataflurry Example (Device Metadata)







Handset is RIM BlackBerry 8900 with OS 5.2.0.31

device.model           Blackberry8900
device.manufacturer    Research In Motion
device.os.version      5.2.0.31
runtime.total.memory   169452204
storage.available      524280









Phone Number and Carrier Information

wireless.messaging.sms.smsc   +441234567890
wireless.messaging.mms.mmsc   http://mms.mycarrier.co.uk/servlets/mms







Analytics: Dataflurry Breakdown 



Payload excerpt from an iPhone build of Angry Birds, rendered as text (unprintable bytes shown as '.'):

*...-DJPTCYNVVIV5H9D3R5IK. .1.1.1 IPHONEa7deb7b28a94c880f6f80f6b02bee4161 d157122 ...-./ - device.model.1..iOS4Device 1.1.1... -
Level started....From..complete menu..Level..-10- Level restarted....From..pause menu..Birds used..3..Birds available..3..Level..-10- 19..Attempts..1 Level complete....

Dataflurry App Metadata: contains a unique identifier for the application (the 20-character token at the start) and the version number.








Dataflurry Device Metadata: contains a unique identifier for the handset (the IPHONE{UDID} token) and properties of the handset (device.model and the fields that follow it).
App Analytics Metadata: developer-specified application analytics, here the game's own events (Level started, Level restarted From pause menu, Birds used 3, Birds available 3, Level 19, Attempts 1, Level complete).






Analytics: Dataflurry Device Metadata 



Device Hardware
• device.model
• device.manufacturer

Phone Information
• wireless.messaging.sms.smsc
• wireless.messaging.mms.mmsc
• IMSI
• IMEI

OS Information
• build.brand
• build.id
• device.os.version
• version.release

Cell Network Metadata
• network.mcc
• network.mnc
• network.lac
• network.cellid
• com.sonyericsson.net.cellid
• com.sonyericsson.net.lac
• com.sonyericsson.net.mcc
• com.sonyericsson.net.mnc
• CellID
• cellid
• LAC
• Lac
• lac
• MCC
• Mcc
• mcc
• MNC
• Mnc
• mnc
• com.nokia.mid.countrycode
• com.nokia.mid.cellid
• com.nokia.mid.networkid
• com.nokia.network.access




Analytics: Dataflurry Device Metadata



• device.model
• device.manufacturer
• device.os.version
• device.software.version
• build.brand
• build.id
• version.release
• runtime.total.memory
• storage.available.size
• audio.encodings
• microedition.commports
• microedition.configuration
• microedition.encoding
• microedition.global.version
• microedition.locale
• microedition.platform
• microedition.profiles
• wireless.messaging.sms.smsc
• wireless.messaging.mms.mmsc
• javax.bluetooth.LocalDevice
• javax.microedition.content.ContentHandler
• javax.microedition.global.ResourceManager
• javax.microedition.io.SocketConnection
• javax.microedition.io.file.FileConnection
• javax.microedition.location.Location
• javax.microedition.media.control.VideoControl
• javax.microedition.media.control.RecordControl
• javax.microedition.payment.TransactionModule
• javax.microedition.pim.PIM
• javax.microedition.sip.SipConnection
• javax.microedition.sip.SipServerConnection
• javax.obex.Operation
• javax.wireless.messaging.MessageConnection
• javax.wireless.messaging.TextMessage
• javax.wireless.messaging.MultipartMessage
• pur.date
• rel.date
• pur.price
• store.id
• bluetooth.api.version
• fileconn.dir.memorycard
• fileconn.dir.photos.file
• fileconn.dir.photos.name
• fileconn.dir.private.file
• fileconn.dir.videos.file
• fileconn.dir.tones
• fileconn.dir.tones.name
• microedition.chapi.version
• microedition.io.file.FileConnection.version
• microedition.jtwi.version
• microedition.m3g.version
• microedition.pim.version
• microedition.location.version
• supports.audio.capture
• supports.mixing
• supports.recording
• supports.video.capture
• video.snapshot.encodings
• microedition.media.version
• streamable.contents
• video.encodings
• com.sonyericsson.net.cellid
• com.sonyericsson.net.lac
• com.sonyericsson.net.mcc
• com.sonyericsson.net.mnc
• microedition.timezone
• microedition.hostname
• IMEI
• IMSI
• network.mcc
• network.mnc
• network.lac
• network.cellid
• CellID

•Cellid 

•cellld 

•LAC 

•lac 

•Lac 

•MCC 

•Mcc 

•mcc 

•MNC 

•Mnc 

•mnc 

•co m mpo rts . m axb aud rate 
•com.nokia.mid.countrycode 
•com. nokia.mid. cellid 
•com.nokia.mid.networkid 
•com. nokia.network. access 
•vers ion. release 
•country, code 
•default.timezone 
•storage. available 







Mobile Gateway HTTP Headers and Data Aggregators: DataFlurry

POST /aar.do HTTP/1.0
Connection: Keep-Alive
User-Agent: SonyEricssonS500i/R8BA Profile/MIDP-2.0 Configuration/CLDC-1.1 UNTRUSTED/1.0
Host: data.flurry.com
Accept: */*
Accept-Charset: utf-8, iso-8859-1
Content-Type: application/octet-stream
Content-Length: 2327
Via: infoX WAP Gateway V300R001, Huawei Technologies
x-up-calling-line-id: +44
x-forwarded-for:
x-huawei-IMSI:

% KHFP142N4PHQBQ8R7XEH..1.5.0..IMEIIMEI 35808401-728365-6-65...!.
$5..microedition.platform..SonyEricssonS500i/R8BA024....1.5.0...%.
.N(;0 onChatMessageSent...(..onChatNewSession...Q.



Analytics: Other Methods & Providers




Many apps send a beacon out when the app is started.

• Can be first- or third-party
• Typically includes phone ID; can include IMEI, geo, etc.
• Examples: Qriously, Com2Us, Fluentmobile, Papayamobile

BB App World will geolocate users using MCC and MNC to determine what content to show in the app store.






Android ID Changes

Typically, Android IDs have followed the format below:

ANDROID_ID
  2 0 0   Hex encoded IMEI (inc. check digit)
  2 2     MEID?
  3 xxxxxxxxxxxxxxx

Seeing Android IDs starting to use the full 64 bits and decent distribution.

Special case: 9774d56d682e549c is a non-unique Android ID (related to a Froyo release bug).



Windows Phone 7 Device IDs




App descriptions in the Marketplace will indicate whether a given app will use the account identifier or the phone identifier, both or neither.

Device IDs are 20-byte values (40-byte hex strings) represented in the following ways:

•A1A2A3A4A5B1B2B3B4B5C1C2C3C4C5D1D2D3D4D5 is the usual ASCII representation, typically in upper-case
•A1A2A3A4-A5B1B2B3-B4B5C1C2-C3C4C5D1-D2D3D4D5
•A1-A2-A3-A4-A5-B1-B2-B3-B4-B5-C1-C2-C3-C4-C5-D1-D2-D3-D4-D5
•Base64 encoding the integer value of the identifier. The resulting string looks like oaKjpKWxsrO0tcHCw8TF0dLT1NU=
•Long number string (i.e. 19621225364332011917921824118918419013320401482152118)







Windows Phone 7 App IDs

All traffic from a Win7 handset appears to carry the GUID associated with the app in the HTTP Referer field.

POST /Service/ServiceElleStyleTag.svc HTTP/1.1
Accept: */*
Referer: file:///Applications/Install/BB7CD1F6-BCDA-DF11-A844-00237DE2DB9E/Install/
Content-Length: 243
Accept-Encoding: identity
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:ServiceElleStyleTag/GetPlaces
User-Agent: NativeHost
Host: styletag.elle.fr
Connection: Keep-Alive
Cache-Control: no-cache

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetPlacesInArea><centerLat>51.899262428283691</centerLat><centerLong>-2.0722637176513672</centerLong><take>10</take><skip>0</skip></GetPlacesInArea></s:Body></s:Envelope>

If the Referer field is formatted in this way only for WP7 apps, it may be possible to use this as a mobile TDI against the Live account.








Windows Phone 7 MSN Ads

Apps that use MSN’s Mobile Ad service associate with the handset’s Live account instead of the handset itself.

GET /v3/Delivery/Placement?pubid=breakO01wp7&pid=USM3PB&adm=1&cfmt=text,image&sft=jpeg,png,gif&w=480&h=80&fmt=json&cltp=app&dim=le&nct=1&lc=en-GB&idtp=anid&uid=63388195C29A61B3EA2E62EEFFFFFFFF HTTP/1.1
Accept: */*
Referer: file:///Applications/Install/D1CD2DCB-7CD5-DF11-A844-0237DE2DB9E/Install/
Accept-Encoding: identity
User-Agent: NativeHost (or occasionally, User-Agent: Windows Phone Ad Client (Xna)/5.1.0.0)
Host: mobileads.msn.com
Connection: Keep-Alive





Windows Phone 7 Marketplace

The WP7 Marketplace also associates with the handset’s Live account, and can include enough metadata to indicate that the account is active on a handset.

GET /v3.2/en-GB/apps?orderBy=downloadRank&cost=paid&chunkSize=10&clientType=WinMobile%207.0&store=Zest&store=020GB&store=HTC HTTP/1.1
User-Agent: ZDM/4.0; Windows Mobile 7.0;
Host: catalog.zune.net (or origin-catalog.zune.net)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ANON=A=63388195C29A61B3EA2E62EEFFFFFFFF&E=b1; NAP=V=1.9&E=ac2&C=WbPWetslRmtl_DSMaoaSyl21N44id48LnREEVrcQ0q8wd6Ds0g&W=1

This is the ANON cookie value for the Live account associated with the handset.
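The WP7 slides above (app GUID in a file:// Referer, uid/idtp on the MSN ad request, the ANON cookie on the Marketplace request) and the earlier DataFlurry capture (x-up-calling-line-id and x-huawei-IMSI inserted by a carrier WAP gateway) all describe identifier-bearing fields that an app's own traffic carries. Someone auditing an app on a test handset wants a quick report of which of those fields a captured request contains. The following is an added example, not code from the slides or from Microsoft, Flurry or any vendor named on them: it parses a raw HTTP request head and reports those fields. The three sample requests are constructed after the slides' captures with placeholder identifier values, and the labels in the returned dict (wp7_app_guid, ad_uid, live_anon_id, gateway_headers) are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests modelled on the slides' captures.
# Identifier values are placeholders, not captured data.
AD_REQUEST = (
    "GET /v3/Delivery/Placement?pubid=PLACEHOLDER&cltp=app&lc=en-GB&idtp=anid"
    "&uid=ABCDEF0123456789ABCDEF0123456789 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: file:///Applications/Install/BB7CD1F6-BCDA-DF11-A844-00237DE2DB9E/Install/\r\n"
    "User-Agent: NativeHost\r\n"
    "Host: mobileads.msn.com\r\n"
    "\r\n"
)
MARKETPLACE_REQUEST = (
    "GET /v3.2/en-GB/apps?orderBy=downloadRank&store=Zest&store=HTC HTTP/1.1\r\n"
    "User-Agent: ZDM/4.0; Windows Mobile 7.0;\r\n"
    "Host: catalog.zune.net\r\n"
    "Cookie: ANON=A=ABCDEF0123456789ABCDEF0123456789&E=b1; NAP=V=1.9&E=ac2&W=1\r\n"
    "\r\n"
)
GATEWAY_REQUEST = (
    "POST /aar.do HTTP/1.0\r\n"
    "Host: data.flurry.com\r\n"
    "Via: infoX WAP Gateway V300R001, Huawei Technologies\r\n"
    "x-up-calling-line-id: +44PLACEHOLDER\r\n"
    "x-huawei-IMSI: 234PLACEHOLDER\r\n"
    "\r\n"
)

# Headers the DataFlurry capture shows a carrier WAP gateway inserting (lower-cased).
GATEWAY_IDENTITY_HEADERS = ("x-up-calling-line-id", "x-huawei-imsi")

# file:///Applications/Install/<GUID>/Install/ as seen in the WP7 Referer field.
WP7_APP_REFERER = re.compile(
    r"^file:///Applications/Install/"
    r"([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})/Install/",
    re.IGNORECASE,
)


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request head into (method, path, query, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, url.path, query, headers


def parse_cookie_header(value: str) -> dict:
    """'a=b; c=d' -> {'a': 'b', 'c': 'd'}; the first '=' separates name from value."""
    cookies = {}
    for item in value.split(";"):
        name, sep, val = item.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def audit_request(raw: str) -> dict:
    """Report the identifier-bearing fields the slides describe, under my own labels."""
    _method, _path, query, headers = parse_request_head(raw)
    findings = {}
    m = WP7_APP_REFERER.match(headers.get("referer", ""))
    if m:
        findings["wp7_app_guid"] = m.group(1).upper()
    if "uid" in query:  # MSN mobile ad request: uid, tagged with its type (idtp=anid)
        findings["ad_uid"] = query["uid"]
        findings["ad_uid_type"] = query.get("idtp", "unknown")
    anon = parse_cookie_header(headers.get("cookie", "")).get("ANON")
    if anon:  # ANON=A=<id>&E=...: the A parameter is the Live account's anonymous ID
        a_value = parse_qs(anon).get("A")
        if a_value:
            findings["live_anon_id"] = a_value[0]
    for name in GATEWAY_IDENTITY_HEADERS:
        if name in headers:
            findings.setdefault("gateway_headers", []).append(name)
    return findings


if __name__ == "__main__":
    for sample in (AD_REQUEST, MARKETPLACE_REQUEST, GATEWAY_REQUEST):
        print(audit_request(sample))
```

The gateway-header check matters for the defensive reading of the DataFlurry slide: those headers are added in transit by the operator's WAP gateway, so an app vendor never sees them in its own source and only a capture on the server side (or a proxy that strips them) reveals that the subscriber number and IMSI travelled with the analytics upload.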



Abusing BADASS for Fun and Profit




Medialytics traffic from Android uses MD5 sum of the Android ID string
Example: 200142d4dfcd56a9 = DEA9F697DEB0CBBB8433018A0B723BF9

POST /event HTTP/1.1
Content-Length: 543
Content-Type: application/x-www-form-urlencoded
Host: t.medialytics.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

%/=? n£h=n£+nk = CAFEBABE
&sys=Android
&sysv=2.3.3
&dev=dea9f697deb0cbbb8433018a0b723bf9
&model=google+Nexus+One
&app=77327b6f00e7aa0f452d9d3ac3e2d1618e0f3aaa
&appv=2.5.3-BB70302
&data=...

Odds are that they’re using something similar for iPhones....
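The WP7 device-ID slide and the Medialytics slide make the same point from two directions: one identifier turns up under several encodings (plain hex, grouped hex, base64, decimal) or behind an unsalted MD5, and none of those hides it from anyone who already knows the identifier. The following added example, which is not code from the slides or from any vendor named on them, is a privacy-testing helper for that situation: given an identifier you control on a test handset, it enumerates the forms an app might emit it under so that captured traffic can be searched for each. The WP7 value is the slide's A1..D5 byte pattern (base64 of those raw bytes reproduces the slide's example string); the Android ID, the sample payloads and the function names are constructed for the example, and the decimal form assumes an unsigned big-endian integer.

```python
import base64
import hashlib

# Constructed test identifiers: the slide's A1..D5 byte pattern for a WP7 device ID,
# and a placeholder 16-hex-digit Android ID (not a real device's value).
WP7_DEVICE_ID_HEX = "A1A2A3A4A5B1B2B3B4B5C1C2C3C4C5D1D2D3D4D5"
ANDROID_ID = "0123456789abcdef"


def wp7_id_forms(hex_id: str) -> dict:
    """Every representation of a 20-byte WP7 device ID listed on the slide."""
    if len(hex_id) != 40:
        raise ValueError("WP7 device IDs are 20 bytes (40 hex digits)")
    raw = bytes.fromhex(hex_id)
    upper = hex_id.upper()
    return {
        "hex": upper,
        "hex_4byte_groups": "-".join(upper[i:i + 8] for i in range(0, 40, 8)),
        "hex_per_byte": "-".join(upper[i:i + 2] for i in range(0, 40, 2)),
        # base64 of the raw bytes; matches the slide's oaKj... example
        "base64": base64.b64encode(raw).decode("ascii"),
        # unsigned big-endian integer in decimal (assumed byte order)
        "decimal": str(int.from_bytes(raw, "big")),
    }


def android_id_forms(android_id: str) -> dict:
    """The raw Android ID and the MD5 digest Medialytics sends in its 'dev' field."""
    return {
        "raw": android_id.lower(),
        "md5": hashlib.md5(android_id.encode("ascii")).hexdigest(),
    }


def find_identifier_leaks(payload: str, forms: dict) -> list:
    """Names of every encoding in `forms` that occurs in `payload`.

    Hex, decimal and digest forms are matched case-insensitively because apps emit
    either case; base64 is case-sensitive by definition and is matched exactly.
    """
    hits = []
    lowered = payload.lower()
    for name, value in forms.items():
        if name == "base64":
            found = value in payload
        else:
            found = value.lower() in lowered
        if found:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed payload fragments modelled on the slides' ad-service and Medialytics requests.
    wp7 = wp7_id_forms(WP7_DEVICE_ID_HEX)
    android = android_id_forms(ANDROID_ID)
    print(find_identifier_leaks("uid=" + wp7["base64"], wp7))
    print(find_identifier_leaks("&dev=" + android["md5"] + "&sys=Android", android))
```

The md5 entry is the reason hashing an identifier is not anonymisation: the digest is a deterministic function of a value that the device owner, the app vendor and anyone who has seen the raw ID elsewhere can all recompute, so it is a pseudonym, not a secret.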



Abusing BADASS for Fun and Profit




We can use the FKB PCAP testing step as a launching point for a fishing expedition...

[Screenshot of the BADASS rule editor. Recoverable fields: Extraction (Logical AND); Item to be extracted: Presence identifier; Secondary keyword; Selector type: string; String selector: APPLICATION LAYER; Case sensitive; Keyword actions; Regex: ([a-f0-9]{32}); Apply regex: directly after keyword; Post process; Interpret binary as.]

We use a very basic regular expression and restrict the traffic by requiring “Host: t.medialytics.com” (not pictured). Initially, we don’t add a validator for sys=Android.

This should give us traffic for Android, iPhone and any other platform they’re using MD5 sums against.





Abusing BADASS for Fun and Profit 



BADASS can show us packet dumps of traffic that completely matched the rule, and traffic that matched on the selector but failed on the rule.

[Screenshot of an application-layer packet dump with the rule summary "APPLICATION | ANY | ... | POST /event". Decoded from the visible hex: "POST /event HTTP/1.1", "Accept: */", "...dary=0xAhTmLbOuNdArY", "Host: t.medialytics.com", "User-Agent: ...RTE/2.0 CFNetwork/485".]

Green indicates the selector hitting in the packet payload.

Yellow indicates where part of the rule hit. In this case, it’s the “Host: t.medialytics.com” validator and where a User-Agent extractor hit in the traffic.

The lack of other highlighted regions indicates that there was no hit on the “dev” presence identifier...



Abusing BADASS for Fun and Profit



... but that doesn’t mean that the dev identifier isn’t there! It’s just formatted differently.

[Screenshot of the same packet dump further into the body (offsets 01f8 to 0228). Decoded from the visible hex: "mLbOuNdArY" CRLF "Content-Disposition: form-data; name="sys"" CRLF CRLF "iP".]
Abusing BADASS for Fun and Profit



Using the FKB PCAP test in this manner has shown us that:

1. Medialytic traffic can appear as form-data
2. Our theory about iPhone traffic having a similar structure holds
3. iPhone traffic is using the MD5 sum against the UUID
4. We can create a rule against the iPhone variant with ease (“sys=iPhone OS” vs. “sys=Android”)

and most importantly:

1. Creativity, iterative testing, domain knowledge, and the right tools can help us target multiple platforms in a very short time period.
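The practical lesson of the last four slides is that one field arrived in two body encodings: application/x-www-form-urlencoded from the Android client and multipart/form-data from the iPhone client, so a matcher anchored on a literal "dev=" sees only the first. For anyone writing the defensive counterpart (an egress check or an app privacy test that must recognise a hashed device ID whichever way the client serialises it), the robust approach is to decode the body by its Content-Type first and apply the 32-hex-digit check to the decoded field. The following is an added example, not the slides' rule and not Medialytics code: the two bodies are constructed after the slides with placeholder digests, and the boundary string is the one readable in the packet dump.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the two Medialytics variants from the slides.
# Digest values are placeholders, not captured data.
ANDROID_BODY = (
    "sys=Android&sysv=2.3.3"
    "&dev=0123456789abcdef0123456789abcdef"
    "&model=google+Nexus+One&app=PLACEHOLDER_APP_HASH&data=..."
)
IPHONE_BODY = (
    "--0xAhTmLbOuNdArY\r\n"
    'Content-Disposition: form-data; name="sys"\r\n\r\niPhone OS\r\n'
    "--0xAhTmLbOuNdArY\r\n"
    'Content-Disposition: form-data; name="dev"\r\n\r\n0123456789ABCDEF0123456789ABCDEF\r\n'
    "--0xAhTmLbOuNdArY--\r\n"
)

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
PART_NAME = re.compile(r'name="([^"]*)"')
BOUNDARY = re.compile(r'boundary="?([^";]+)"?')


def parse_form_fields(body: str, content_type: str) -> dict:
    """Return {field: value} for either body encoding an HTTP form can use."""
    media_type, _, params = content_type.partition(";")
    media_type = media_type.strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body).items()}
    if media_type == "multipart/form-data":
        m = BOUNDARY.search(params)
        if not m:
            raise ValueError("multipart/form-data without a boundary parameter")
        delimiter = "--" + m.group(1)
        fields = {}
        for part in body.split(delimiter):
            part = part.strip("\r\n")
            if not part or part == "--":  # preamble / closing delimiter
                continue
            part_headers, _, value = part.partition("\r\n\r\n")
            name = PART_NAME.search(part_headers)
            if name:
                fields[name.group(1)] = value
        return fields
    raise ValueError(f"unsupported Content-Type: {media_type}")


def hashed_device_id(fields: dict):
    """The 'dev' field, lower-cased, if it is a 32-hex-digit digest; otherwise None."""
    dev = fields.get("dev", "")
    return dev.lower() if MD5_HEX.match(dev) else None


def platform_of(fields: dict) -> str:
    """Value of the 'sys' field ('Android', 'iPhone OS', ...), or 'unknown'."""
    return fields.get("sys", "unknown")


if __name__ == "__main__":
    for body, ctype in (
        (ANDROID_BODY, "application/x-www-form-urlencoded"),
        (IPHONE_BODY, "multipart/form-data; boundary=0xAhTmLbOuNdArY"),
    ):
        fields = parse_form_fields(body, ctype)
        print(platform_of(fields), hashed_device_id(fields))
```

Decoding by Content-Type rather than pattern-matching the raw bytes is also what makes the check honest: the multipart value is upper-case in the constructed iPhone body and lower-case in the Android one, and both normalise to the same digest only after the field has been isolated.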